McAfee Advanced Threat Defense
This integration is part of the McAfee Advanced Threat Defense Pack.
Overview
Use the McAfee Advanced Threat Defense integration to enhance protection from network edge to endpoint and enable investigation.
This integration was integrated and tested with MATD Version 4.2.2.16.
McAfee Advanced Threat Defense Playbooks
This integration is used in the following Cortex XSOAR playbooks.
- McAfee ATD - Detonate URL
- McAfee ATD - Detonate File
Use cases
- Add a file to the integration's War Room.
- Sample a file.
- Get information on an old sample.
- Send a URL sample to McAfee ATD.
Configure McAfee Advanced Threat Defense on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for McAfee Advanced Threat Defense.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g. https://192.168.0.1 )
- Username
- Password
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Upload a file: atd-file-upload
- Retrieve taskIDs: atd-get-task-ids
- Download an analysis report: atd-get-report
- Get a list of analyzer profiles: atd-list-analyzer-profiles
- Get a list of all users: atd-list-user
- Retrieve session details: atd-login
- Detonate a file: detonate-file (deprecated)
- Detonate a URL: detonate-url (deprecated)
- Check a task's status: atd-check-status
1. Upload a file
Upload a file or Web URL for dynamic analysis using the specified Analyzer Profile. You can only submit a single file or Web URL in each command.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
Base Command
atd-file-upload
Input
Argument Name | Description | Required |
---|---|---|
vmProfileList | Analyzer profile ID. The profile ID can be found in the UI under Policy > Analyzer Profile, or by running atd-list-analyzer-profiles and reading the vmProfileid key of the result. | Optional |
submitType | Submission type. Accepts four values: 0 (regular file upload), 1 (URL submission: the URL is processed inside the analyzer VM), 2 (submit file with URL), 3 (URL download: the file at the URL is downloaded first and then analyzed). | Required |
url | A valid URL | Optional |
messageId | Maximum 128-character string. | Optional |
srcIp | IPv4 address of the source system or gateway from where the file is downloaded. | Optional |
dstIp | IPv4 address of the target endpoint. | Optional |
skipTaskId | Value '0' returns the corresponding taskId in the API response. Value '1' returns -1 as the taskId in the API response. | Optional |
analyzeAgain | Value '0' skips sample analysis if the sample was analyzed previously. Value '1' does not skip sample analysis. | Optional |
xMode | Value '0' indicates no user interaction is needed during sample analysis. Value '1' indicates user interaction is needed during sample analysis. | Optional |
filePriorityQ | Priority of the sample analysis. run_now assigns the highest priority (the sample is analyzed right away); add_to_q puts the sample in a waiting state if there is a queue of waiting samples. Default is run_now. | Optional |
entryID | Entry ID of the file to upload | Optional |
fileName | The name of the file | Optional |
Context Output
Path | Type | Description |
---|---|---|
ATD.Task.taskId | number | Task ID of the uploaded sample |
ATD.Task.jobId | number | Job ID of the uploaded sample |
ATD.Task.messageId | string | The message ID relevant to the uploaded sample |
ATD.Task.url | string | The URL that was detonated |
ATD.Task.srcIp | string | Source IPv4 address |
ATD.Task.destIp | string | Destination IPv4 address |
ATD.Task.MD5 | string | MD5 of the uploaded sample |
ATD.Task.SHA1 | string | SHA-1 of the uploaded sample |
ATD.Task.SHA256 | string | SHA-256 of the uploaded sample |
ATD.taskId | number | The task ID of the uploaded sample |
Command Example
!atd-file-upload submitType=1 analyzeAgain=1 filePriorityQ=run_now messageId="test the url of demisto" url="https://demisto.com"
!atd-check-status jobId=[220,34]
Context Example
```json
{
  "estimatedTime": 0,
  "fileId": "just testing",
  "filesWait": 0,
  "mimeType": "application/url",
  "results": [
    {
      "cache": 0,
      "destIp": null,
      "file": "https://demisto.com",
      "md5": "xxx",
      "messageId": "",
      "sha1": "",
      "sha256": "",
      "size": 19,
      "srcIp": "",
      "submitType": 1,
      "taskId": 388,
      "url": "https://demisto.com"
    }
  ],
  "subId": 385,
  "success": true
}
```
Human Readable Output
2. Retrieve task IDs
Fetches the list of task IDs associated with a job ID.
Base Command
atd-get-task-ids
Input
Argument Name | Description | Required |
---|---|---|
jobId | Unique identifier for the previously submitted file | Required |
Context Output
Path | Type | Description |
---|---|---|
ATD.Task.taskId | number | The taskId that corresponds to the jobId that was sent |
ATD.Task.jobId | number | The jobId that was sent |
Command Example
!atd-get-task-ids jobId=${ATD.Task.jobId}
!atd-get-task-ids jobId=[220,34]
Context Example
```json
[
  { "result": { "taskIdList": 220 }, "success": true },
  { "result": { "taskIdList": 221 }, "success": true }
]
```
Human Readable Output
3. Download an analysis report
Downloads the analysis report for a specific task.
Base Command
atd-get-report
Input
Argument Name | Description | Required |
---|---|---|
taskId | The taskId returned in the file/URL submission step | Optional |
jobId | Job ID | Optional |
type | Report type, for example json | Required |
threshold | ATD severity (if exceeded, the file is considered malicious) | Optional |
Context Output
Path | Type | Description |
---|---|---|
File.Name | string | Filename (only if the report type is JSON) |
File.Type | string | File type, for example "PE" (only if the report type is JSON) |
File.Size | number | File size (only if the report type is JSON) |
File.MD5 | string | MD5 hash of the file (only if the report type is JSON) |
File.SHA1 | string | SHA-1 hash of the file (only if the report type is JSON) |
File.SHA256 | string | SHA-256 hash of the file (only if the report type is JSON) |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision |
File.Malicious.Description | string | For malicious files, the reason for the vendor to make the decision |
DBotScore.Indicator | string | The indicator we tested (only if the report type is JSON) |
DBotScore.Type | string | The type of the indicator (only if the report type is JSON) |
DBotScore.Vendor | string | Vendor used to calculate the score (only if the report type is JSON) |
DBotScore.Score | number | The actual score (only if the report type is JSON) |
File.EntryID | string | Entry ID of the sample |
IP.Address | string | IPs relevant to the sample |
InfoFile.EntryID | string | EntryID of the report file |
InfoFile.Extension | string | Extension of the report file |
InfoFile.Name | string | The name of the report file, which you can use later, for example, to send the report in an email as part of a playbook task. The report name is the taskId, for example, 7173.pdf. |
InfoFile.Info | string | Information for the report file |
InfoFile.Size | number | Size of the report file |
InfoFile.Type | string | Type of the report file |
Command Example
!atd-get-report taskId=391 type=json
Context Example
```json
{
  "Summary": {
    "Bait": "Baitexe activated but not infected",
    "Behavior": [
      "Identified as --- by Gateway Anti-Malware",
      "Identified as --- by GTI File Reputation",
      "Identified as --- by GTI URL Reputation",
      "Identified as --- by Anti-Malware",
      "Altered Web Proxy Auto-Discovery Protocol (WPAD) for rerouting of the network traffic",
      "Modified time attribute of the specified file after its creation",
      "Modified file's time creation attributes",
      "Hid content by modifying its attributes",
      "Downloaded data from a webserver",
      "Modified INTERNET_OPTION_CONNECT_RETRIES: number of times that WinInet attempts to resolve and connect to a host",
      "Connected to a specific service provider",
      "Manipulated an existing Windows service by its handle",
      "Created named mutex object",
      "Obtained user's logon name",
      "Set a filter function to supersede the top-level exception handler (http://msdn.microsoft.com/en-us/library/vstudio/x85tt0dd.aspx)"
    ],
    "DETversion": "4.2.0.171220",
    "Data": {
      "analysis_seconds": 66,
      "compiled_with": "Not Available",
      "sandbox_analysis": 5
    },
    "Environment": [
      "Microsoft Windows 7 Professional Service Pack 1 (build 7601, version 6.1.7601), 64-bit",
      "Internet Explorer version: 8.0.7601.17514",
      "Microsoft Office version: 2010",
      "PDF Reader version: 9.0",
      "Flash player version: 14.0.0.145",
      "Flash player plugin version: 14.0.0.145"
    ],
    "Files": [
      {
        "FileType": 0,
        "Md5": "",
        "Name": "iexplore.exe",
        "Processes": [],
        "Sha1": "",
        "Sha256": ""
      }
    ],
    "Ips": [],
    "JSONversion": 1.002,
    "MISversion": "4.2.0.22",
    "OSversion": "win7sp1x64",
    "Process": [
      {
        "Name": "https://demisto.com",
        "Reason": "loaded by MATD Analyzer",
        "Severity": 2
      }
    ],
    "Processes": [],
    "SUMversion": "4.2.0.22",
    "Selectors": [
      { "Engine": "Gateway Anti-Malware", "MalwareName": "---", "Severity": 0 },
      { "Engine": "GTI File Reputation", "MalwareName": "---", "Severity": 0 },
      { "Engine": "GTI URL Reputation", "MalwareName": "---", "Severity": -1 },
      { "Engine": "Anti-Malware", "MalwareName": "---", "Severity": 0 },
      { "Engine": "Sandbox", "MalwareName": "---", "Severity": 2 }
    ],
    "Stats": [
      { "Category": "Persistence, Installation Boot Survival", "ID": 0, "Severity": 2 },
      { "Category": "Hiding, Camouflage, Stealthiness, Detection and Removal Protection", "ID": 1, "Severity": 2 },
      { "Category": "Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection", "ID": 2, "Severity": 2 },
      { "Category": "Spreading", "ID": 3, "Severity": 2 },
      { "Category": "Exploiting, Shellcode", "ID": 4, "Severity": 0 },
      { "Category": "Networking", "ID": 5, "Severity": 2 },
      { "Category": "Data spying, Sniffing, Keylogging, Ebanking Fraud", "ID": 6, "Severity": 0 }
    ],
    "Subject": {
      "FileType": 4096,
      "Name": "https://demisto.com",
      "Timestamp": "2018-05-28 03:24:19",
      "Type": "application/url",
      "md5": "xxxx",
      "parent_archive": "Not Available",
      "sha-1": "xxxxx",
      "sha-256": "xxxxxx",
      "size": 19
    },
    "URL_Reputation": [
      { "category": "---", "functional": "---", "port": 443, "reputation": "Clean", "risk": "---", "severity": -1, "url": "31.152.142.194" },
      { "category": "Business", "functional": "Business/Services", "port": 80, "reputation": "Clean", "risk": "Information", "severity": -1, "url": "DEMISTO.COM" },
      { "category": "Business", "functional": "Business/Services", "port": 80, "reputation": "Clean", "risk": "Information", "severity": -1, "url": "HTTPS://DEMISTO.COM" },
      { "category": "---", "functional": "---", "port": 80, "reputation": "Failed", "risk": "---", "severity": -2, "url": "WIN-K0RA93TITV8" }
    ],
    "Urls": [
      { "Category": "Business", "Functional": "Business/Services", "Port": 80, "Processes": [ { "Name": "iexplore.exe", "RelType": 8, "Sha256": "" } ], "Reputation": 0, "Risk": "Information", "Severity": -1, "Url": "DEMISTO.COM" },
      { "Category": "Business", "Functional": "Business/Services", "Port": 80, "Processes": [ { "Name": "iexplore.log", "RelType": 8, "Sha256": "" } ], "Reputation": 0, "Risk": "Information", "Severity": -1, "Url": "HTTPS://DEMISTO.COM" },
      { "Category": "---", "Functional": "---", "Port": 80, "Processes": [ { "Name": "iexplore.exe", "RelType": 8, "Sha256": "" } ], "Reputation": 15, "Risk": "---", "Severity": -2, "Url": "WIN-K0RA93TITV8" }
    ],
    "Verdict": {
      "Description": "Sample is somewhat suspicious: final severity level 2",
      "Severity": 2
    },
    "hasDynamicAnalysis": true
  }
}
```
Human Readable Output
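The JSON report returned by atd-get-report can be turned into the File, DBotScore and IP context entries this command documents. The following is an added example, not the integration's own code: it parses a constructed report in the shape of the context example above and applies the threshold argument (a severity above the threshold means malicious). The DBotScore values for severities at or below the threshold, and the "Engines" entry, are this example's assumptions, not part of the integration's context.

```python
"""Turn a McAfee ATD JSON report into XSOAR-style File/DBotScore/IP context.

Added example, not the integration's own code. The report layout follows the
atd-get-report context example on this page; SAMPLE_REPORT is a constructed,
trimmed copy of it, and the DBotScore mapping below the threshold is an assumption.
"""
import ipaddress
import json

VENDOR = "McAfee Advanced Threat Defense"

# Constructed sample with the documented report keys (trimmed to what is used).
SAMPLE_REPORT = json.dumps({
    "Summary": {
        "Subject": {
            "Name": "https://demisto.com", "Type": "application/url", "FileType": 4096,
            "md5": "x" * 32, "sha-1": "x" * 40, "sha-256": "x" * 64, "size": 19,
        },
        "Selectors": [
            {"Engine": "Gateway Anti-Malware", "MalwareName": "---", "Severity": 0},
            {"Engine": "GTI URL Reputation", "MalwareName": "---", "Severity": -1},
            {"Engine": "Sandbox", "MalwareName": "---", "Severity": 2},
        ],
        "URL_Reputation": [
            {"url": "31.152.142.194", "port": 443, "reputation": "Clean", "severity": -1},
            {"url": "DEMISTO.COM", "port": 80, "reputation": "Clean", "severity": -1},
            {"url": "WIN-K0RA93TITV8", "port": 80, "reputation": "Failed", "severity": -2},
        ],
        "Verdict": {"Description": "Sample is somewhat suspicious: final severity level 2",
                    "Severity": 2},
        "hasDynamicAnalysis": True,
    }
})


def severity_to_dbot_score(severity, threshold):
    """Map an ATD severity to a DBotScore (1 good, 2 suspicious, 3 bad).

    Only the first rule is documented (severity above the threshold is
    malicious); the other two are this example's assumption.
    """
    if severity > threshold:
        return 3
    if severity > 0:
        return 2
    return 1


def extract_ips(summary):
    """Collect the IPv4 addresses the sandbox saw in URL_Reputation entries."""
    ips = []
    for entry in summary.get("URL_Reputation", []):
        candidate = entry.get("url", "")
        try:
            ipaddress.IPv4Address(candidate)
        except ValueError:
            continue  # hostnames such as DEMISTO.COM are not IPs
        if candidate not in ips:
            ips.append(candidate)
    return ips


def build_context(report_json, threshold):
    """Build the File, DBotScore and IP context entries from a report string."""
    summary = json.loads(report_json)["Summary"]
    subject = summary["Subject"]
    verdict = summary["Verdict"]
    score = severity_to_dbot_score(verdict["Severity"], threshold)
    is_url = subject.get("Type") == "application/url"

    file_ctx = {
        "Name": subject["Name"],
        "Type": subject.get("Type"),
        "Size": subject.get("size"),
        "MD5": subject.get("md5"),
        "SHA1": subject.get("sha-1"),
        "SHA256": subject.get("sha-256"),
    }
    if score == 3:
        # Malicious.* is only set when the verdict crosses the threshold.
        file_ctx["Malicious"] = {"Vendor": VENDOR, "Description": verdict["Description"]}

    return {
        "File": file_ctx,
        "DBotScore": {
            "Indicator": subject["Name"],
            "Type": "url" if is_url else "file",
            "Vendor": VENDOR,
            "Score": score,
        },
        "IP": [{"Address": ip} for ip in extract_ips(summary)],
        # Per-engine severities (assumed extra), useful when a playbook wants the Sandbox verdict alone.
        "Engines": {s["Engine"]: s["Severity"] for s in summary.get("Selectors", [])},
    }


if __name__ == "__main__":
    print(json.dumps(build_context(SAMPLE_REPORT, threshold=4), indent=2))
```

With the default threshold of 4 the sample report (final severity 2) is marked suspicious, not malicious; lowering the threshold to 1 flips the same report to malicious and populates File.Malicious, which is the knob a playbook tunes when ATD's "somewhat suspicious" verdicts should block rather than just flag.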
4. Get a list of analyzer profiles
Displays a list of analyzer profiles. Only the analyzer profiles that the user has access to are displayed.
Base Command
atd-list-analyzer-profiles
Input
There are no arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
ATD.ListAnalyzerProfiles.Name | string | Analyzer's profile name |
ATD.ListAnalyzerProfiles.AnalyzerProfileId | number | Analyzer's profile ID |
ATD.ListAnalyzerProfiles.Description | string | Analyzer's profile description |
ATD.ListAnalyzerProfiles.Sandbox | boolean | Whether the Analyzer's profile has access to the sandbox |
ATD.ListAnalyzerProfiles.Internet | boolean | Whether the Analyzer's profile has access to the internet |
ATD.ListAnalyzerProfiles.LocalBlackList | boolean | Whether the Analyzer's profile has access to the local block list |
Command Example
!atd-list-analyzer-profiles
Context Example
```json
{
  "results": [
    {
      "artimas": 0,
      "asm": 0,
      "aviraAV": 0,
      "consoleLog": 0,
      "createTime": "2012-12-01 02:16:01",
      "customrules": 0,
      "default32OSName": "",
      "default64OSName": "",
      "defaultVM": 0,
      "dnnEnable": 0,
      "dropZip": 0,
      "dumpZip": 0,
      "family": 0,
      "filePassword": "",
      "filePassword1": "",
      "flp": 0,
      "gam": 1,
      "gml": 0,
      "gtiTS": 1,
      "gtiURLRep": 0,
      "heuristic": 0,
      "imageid": 0,
      "internet": 0,
      "lastChange": null,
      "locBlackList": 1,
      "locWhiteList": 0,
      "logZip": 0,
      "maxExecTime": 180,
      "mfeAV": 1,
      "minExecTime": 5,
      "name": "xxxxxxxxxxxx",
      "netLog": 0,
      "netdriveZip": 0,
      "noPDF": 0,
      "ntvLog": 0,
      "openarchive": 1,
      "overrideOS": 0,
      "pe32": 0,
      "reAnalysis": 1,
      "recusiveAnalysis": 0,
      "runtimeArgument": "",
      "sandbox": 0,
      "selectedOSName": "",
      "sophosAV": 0,
      "ssAPIid": 1,
      "ssKeyid": 1,
      "ssLevelid": 1,
      "summary": 1,
      "userLog": 0,
      "userid": "xx",
      "vmDesc": "Only Down Selectors",
      "vmProfileid": "xx",
      "xMode": 0,
      "yaraScan": 0,
      "yararules": 0
    },
    {
      "artimas": 0,
      "asm": 0,
      "aviraAV": 0,
      "consoleLog": 0,
      "createTime": "2018-01-02 05:28:39",
      "customrules": 0,
      "default32OSName": "",
      "default64OSName": "",
      "defaultVM": 0,
      "dnnEnable": 0,
      "dropZip": 0,
      "dumpZip": 0,
      "family": 0,
      "filePassword": "",
      "filePassword1": "",
      "flp": 0,
      "gam": 1,
      "gml": 0,
      "gtiTS": 1,
      "gtiURLRep": 0,
      "heuristic": 0,
      "imageid": 0,
      "internet": 0,
      "lastChange": "2018-01-02 05:28:39",
      "locBlackList": 0,
      "locWhiteList": 1,
      "logZip": 0,
      "maxExecTime": 0,
      "mfeAV": 1,
      "minExecTime": 0,
      "name": "xxxxxxxxxx",
      "netLog": 0,
      "netdriveZip": 0,
      "noPDF": 0,
      "ntvLog": 0,
      "openarchive": 1,
      "overrideOS": 0,
      "pe32": 0,
      "reAnalysis": 1,
      "recusiveAnalysis": 0,
      "runtimeArgument": "",
      "sandbox": 0,
      "selectedOSName": "",
      "sophosAV": 0,
      "ssAPIid": 0,
      "ssKeyid": 0,
      "ssLevelid": 0,
      "summary": 1,
      "userLog": 0,
      "userid": "xx",
      "vmDesc": "",
      "vmProfileid": "xx",
      "xMode": 0,
      "yaraScan": 0,
      "yararules": 0
    }
  ]
}
```
Human Readable Output
5. Get a list of all users
Displays profile information for all McAfee Advanced Threat Defense users.
Base Command
atd-list-user
Input
Argument Name | Description | Required |
---|---|---|
userType | User type associated with a user profile. For example NSP, MWG, STAND_ALONE (default), and so on. | Optional |
Context Output
Path | Type | Description |
---|---|---|
ATD.Users.FullName | string | User's full name |
ATD.Users.UserId | number | User's ID |
ATD.Users.LoginId | string | User's login ID |
ATD.Users.UserType | string | User type |
Command Example
!atd-list-user
!atd-list-user userType="NSP"
Context Example
```json
{
  "results": [
    { "fullName": "xxxxxxx", "idx": "xxxx", "loginId": "xxxxxx", "userType": "STAND_ALONE" },
    { "fullName": "xxxxxx", "idx": "xxx", "loginId": "xxxxxxxx", "userType": "STAND_ALONE" },
    { "fullName": "xxxxx", "idx": "xxx", "loginId": "xxxxx", "userType": "STAND_ALONE" }
  ],
  "success": true
}
```
Human Readable Output
6. Retrieve session details
Returns details for the current session.
Base Command
atd-login
Input
There are no arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
ATD.Session.APIVersion | string | The API version used in the session |
ATD.Session.IsAdmin | boolean | Whether the current user is an admin |
ATD.Session.SessionId | string | Session ID |
ATD.Session.UserId | number | The UserId of the user logged in to the session |
Command Example
!atd-login
Context Example
```json
{
  "apiVersion": "1.5.0",
  "isAdmin": 1,
  "matdVersion": "4.2.0.22",
  "serverTZ": "PDT",
  "session": "xxxxxxxxxxxxxxxx",
  "userId": "xxx"
}
```
Human Readable Output
7. Detonate a file (deprecated)
Deprecated, use the McAfee ATD Detonate File playbook.
Base Command
detonate-file
Input
Argument Name | Description | Required |
---|---|---|
upload | ID of the entry that contains the file to detonate | Required |
timeout | Total wait time (in seconds) | Optional |
format | Report format type | Optional |
threshold | ATD severity (if exceeded, the file is considered malicious) | Optional |
fileName | File name | Optional |
Context Output
Path | Type | Description |
---|---|---|
InfoFile.Name | string | File name (only if the report type is JSON) |
InfoFile.Type | string | File type, for example "PE" (only if the report type is JSON) |
InfoFile.Size | number | File size (only if the report type is JSON) |
InfoFile.MD5 | string | MD5 hash of the file (only if the report type is JSON) |
InfoFile.SHA1 | string | SHA-1 hash of the file (only if the report type is JSON) |
InfoFile.SHA256 | string | SHA-256 hash of the file (only if the report type is JSON) |
InfoFile.Malicious.Vendor | string | For malicious files, the vendor that made the decision |
InfoFile.Malicious.Description | string | For malicious files, the reason that the vendor made the decision |
DBotScore.Indicator | string | The indicator that was tested (only if the report type is JSON) |
DBotScore.Type | string | The type of the indicator (only if the report type is JSON) |
DBotScore.Vendor | string | Vendor used to calculate the score (only if the report type is JSON) |
DBotScore.Score | number | The actual score (only if the report type is JSON) |
ATD.Task.taskId | number | The taskId returned in the file/URL submission step |
ATD.Task.jobId | number | The jobId returned in the file/URL submission step |
ATD.Task.status | string | The task ID status (Completed or Analyzing) |
ATD.Task.messageId | string | The message ID relevant to the uploaded sample |
ATD.Task.url | string | The detonated URL |
ATD.Task.srcIp | string | Source IPv4 address |
ATD.Task.destIp | string | Destination IPv4 address |
ATD.Task.MD5 | string | MD5 of the uploaded sample |
ATD.Task.SHA256 | string | SHA-256 of the uploaded sample |
ATD.Task.SHA1 | string | SHA-1 of the uploaded sample |
IP.Address | string | IPs relevant to the sample |
Command Example
!detonate-file upload=${File.EntryID} format=json timeout=240 threshold=4
Context Example
```json
{
  "Summary": {
    "Behavior": [
      "Identified as --- by Gateway Anti-Malware",
      "Identified as --- by GTI File Reputation",
      "Identified as --- by Anti-Malware"
    ],
    "DETversion": "4.2.0.171220",
    "Data": {
      "analysis_seconds": 1,
      "compiled_with": "Not Available",
      "sandbox_analysis": 0
    },
    "JSONversion": 1.002,
    "MISversion": "4.2.0.22",
    "OSversion": "StaticAnalysis",
    "Process": [
      { "Name": "cd.exe", "Reason": "processed by down selectors", "Severity": -1 }
    ],
    "SUMversion": "4.2.0.22",
    "Selectors": [
      { "Engine": "Gateway Anti-Malware", "MalwareName": "---", "Severity": 0 },
      { "Engine": "GTI File Reputation", "MalwareName": "---", "Severity": -1 },
      { "Engine": "Anti-Malware", "MalwareName": "---", "Severity": 0 },
      { "Engine": "Sandbox", "MalwareName": "---", "Severity": 0 }
    ],
    "Subject": {
      "FileType": 0,
      "Name": "cd.exe",
      "Timestamp": "2018-05-28 04:40:22",
      "Type": "PE32 executable (GUI) Intel 80386",
      "md5": "291C213253332BB1B4B40080C9E9DE69",
      "parent_archive": "Not Available",
      "sha-1": "9B8D214A558A60DAA461E388B7CAF8758C364A52",
      "sha-256": "60769CE0928C5CED45DB71DDED5A6FD4DB6596BC52C3AC549EEBC7A385FC3D77",
      "size": 10240
    },
    "Verdict": {
      "Description": "Sample is clean according to the GTI's File Reputation",
      "Severity": -1
    },
    "hasDynamicAnalysis": false
  }
}
```
Human Readable Output
8. Detonate a URL (deprecated)
Deprecated, use the McAfee ATD Detonate URL playbook.
Base Command
detonate-url
Input
Argument Name | Description | Required |
---|---|---|
url | URL to detonate | Required |
timeout | Total wait time (in seconds) | Optional |
format | Report format type | Optional |
threshold | ATD severity (if exceeded, the file is considered malicious) | Optional |
Context Output
Path | Type | Description |
---|---|---|
InfoFile.Name | string | File name (only if the report type is JSON) |
InfoFile.Type | string | File type, for example "PE" (only if the report type is JSON) |
InfoFile.Size | number | File size (only if the report type is JSON) |
InfoFile.MD5 | string | MD5 hash of the file (only if the report type is JSON) |
InfoFile.SHA1 | string | SHA-1 hash of the file (only if the report type is JSON) |
InfoFile.SHA256 | string | SHA-256 hash of the file (only if the report type is JSON) |
InfoFile.Malicious.Vendor | string | For malicious files, the vendor that made the decision |
InfoFile.Malicious.Description | string | For malicious files, the reason that the vendor made the decision |
DBotScore.Indicator | string | The indicator that was tested (only if the report type is JSON) |
DBotScore.Type | string | The type of the indicator (only if the report type is JSON) |
DBotScore.Vendor | string | Vendor used to calculate the score (only if the report type is JSON) |
DBotScore.Score | number | The actual score (only if the report type is JSON) |
ATD.Task.taskId | number | The taskId returned in the file/URL submission step |
ATD.Task.jobId | number | The jobId returned in the file/URL submission step |
ATD.Task.status | string | The task ID status (Completed or Analyzing) |
ATD.Task.messageId | string | The message ID relevant to the uploaded sample |
ATD.Task.url | string | The detonated URL |
ATD.Task.srcIp | string | Source IPv4 address |
ATD.Task.destIp | string | Destination IPv4 address |
ATD.Task.MD5 | string | MD5 of the uploaded sample |
ATD.Task.SHA256 | string | SHA-256 of the uploaded sample |
ATD.Task.SHA1 | string | SHA-1 of the uploaded sample |
IP.Address | string | IPs relevant to the sample |
Command Example
!detonate-url url="https://mcafee.com" format=json
Context Example
```json
{
  "Summary": {
    "Bait": "Baitexe activated but not infected",
    "Behavior": [
      "Identified as --- by Gateway Anti-Malware",
      "Identified as --- by GTI File Reputation",
      "Identified as --- by GTI URL Reputation",
      "Identified as --- by Anti-Malware",
      "Altered Web Proxy Auto-Discovery Protocol (WPAD) for rerouting of the network traffic",
      "Modified time attribute of the specified file after its creation",
      "Modified file's time creation attributes",
      "Hid content by modifying its attributes",
      "Downloaded data from a webserver",
      "Modified INTERNET_OPTION_CONNECT_RETRIES: number of times that WinInet attempts to resolve and connect to a host",
      "Connected to a specific service provider",
      "Manipulated an existing Windows service by its handle",
      "Created named mutex object",
      "Obtained user's logon name",
      "Set a filter function to supersede the top-level exception handler (http://msdn.microsoft.com/en-us/library/vstudio/x85tt0dd.aspx)"
    ],
    "DETversion": "4.2.0.171220",
    "Data": {
      "analysis_seconds": 66,
      "compiled_with": "Not Available",
      "sandbox_analysis": 5
    },
    "Environment": [
      "Microsoft Windows 7 Professional Service Pack 1 (build 7601, version 6.1.7601), 64-bit",
      "Internet Explorer version: 8.0.7601.17514",
      "Microsoft Office version: 2010",
      "PDF Reader version: 9.0",
      "Flash player version: 14.0.0.145",
      "Flash player plugin version: 14.0.0.145"
    ],
    "Files": [
      {
        "FileType": 0,
        "Md5": "",
        "Name": "iexplore.exe",
        "Processes": [],
        "Sha1": "",
        "Sha256": ""
      }
    ],
    "Ips": [],
    "JSONversion": 1.002,
    "MISversion": "4.2.0.22",
    "OSversion": "win7sp1x64",
    "Process": [
      {
        "Name": "https://demisto.com",
        "Reason": "loaded by MATD Analyzer",
        "Severity": 2
      }
    ],
    "Processes": [],
    "SUMversion": "4.2.0.22",
    "Selectors": [
      { "Engine": "Gateway Anti-Malware", "MalwareName": "---", "Severity": 0 },
      { "Engine": "GTI File Reputation", "MalwareName": "---", "Severity": 0 },
      { "Engine": "GTI URL Reputation", "MalwareName": "---", "Severity": -1 },
      { "Engine": "Anti-Malware", "MalwareName": "---", "Severity": 0 },
      { "Engine": "Sandbox", "MalwareName": "---", "Severity": 2 }
    ],
    "Stats": [
      { "Category": "Persistence, Installation Boot Survival", "ID": 0, "Severity": 2 },
      { "Category": "Hiding, Camouflage, Stealthiness, Detection and Removal Protection", "ID": 1, "Severity": 2 },
      { "Category": "Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection", "ID": 2, "Severity": 2 },
      { "Category": "Spreading", "ID": 3, "Severity": 2 },
      { "Category": "Exploiting, Shellcode", "ID": 4, "Severity": 0 },
      { "Category": "Networking", "ID": 5, "Severity": 2 },
      { "Category": "Data spying, Sniffing, Keylogging, Ebanking Fraud", "ID": 6, "Severity": 0 }
    ],
    "Subject": {
      "FileType": 4096,
      "Name": "https://demisto.com",
      "Timestamp": "2018-05-28 03:24:19",
      "Type": "application/url",
      "md5": "xxxx",
      "parent_archive": "Not Available",
      "sha-1": "xxxxx",
      "sha-256": "xxxxxx",
      "size": 19
    },
    "URL_Reputation": [
      { "category": "---", "functional": "---", "port": 443, "reputation": "Clean", "risk": "---", "severity": -1, "url": "31.152.142.194" },
      { "category": "Business", "functional": "Business/Services", "port": 80, "reputation": "Clean", "risk": "Information", "severity": -1, "url": "DEMISTO.COM" },
      { "category": "Business", "functional": "Business/Services", "port": 80, "reputation": "Clean", "risk": "Information", "severity": -1, "url": "HTTPS://DEMISTO.COM" },
      { "category": "---", "functional": "---", "port": 80, "reputation": "Failed", "risk": "---", "severity": -2, "url": "WIN-K0RA93TITV8" }
    ],
    "Urls": [
      { "Category": "Business", "Functional": "Business/Services", "Port": 80, "Processes": [ { "Name": "iexplore.exe", "RelType": 8, "Sha256": "" } ], "Reputation": 0, "Risk": "Information", "Severity": -1, "Url": "DEMISTO.COM" },
      { "Category": "Business", "Functional": "Business/Services", "Port": 80, "Processes": [ { "Name": "iexplore.log", "RelType": 8, "Sha256": "" } ], "Reputation": 0, "Risk": "Information", "Severity": -1, "Url": "HTTPS://DEMISTO.COM" },
      { "Category": "---", "Functional": "---", "Port": 80, "Processes": [ { "Name": "iexplore.exe", "RelType": 8, "Sha256": "" } ], "Reputation": 15, "Risk": "---", "Severity": -2, "Url": "WIN-K0RA93TITV8" }
    ],
    "Verdict": {
      "Description": "Sample is somewhat suspicious: final severity level 2",
      "Severity": 2
    },
    "hasDynamicAnalysis": true
  }
}
```
Human Readable Output
9. Check a task's status
Checks the analysis status of up to 100 jobIDs/taskIDs.
Base Command
atd-check-status
Input
Argument Name | Description | Required |
---|---|---|
taskId | The taskId returned in the file/URL submission step | Optional |
jobId | Job ID | Optional |
Context Output
Path | Type | Description |
---|---|---|
ATD.status | string | The task ID status (Completed or Analyzing) |
ATD.Task.taskId | number | The taskId returned in the file/URL submission step |
ATD.Task.jobId | number | The jobId returned in the file/URL submission step |
ATD.Task.status | string | The task ID status (Completed or Analyzing) |
ATD.Task.filename | string | The name of the uploaded sample |
ATD.Task.MD5 | string | MD5 of the sample |
ATD.Task.submitTime | string | Time the sample was submitted |
Command Examples
!atd-check-status taskId=${ATD.Task.taskId}
!atd-check-status jobId=[220,34]
Context Example
```json
[
  {
    "PEInfo": 0,
    "asmListing": 0,
    "family": 0,
    "filename": "xxxxxxx",
    "istate": 1,
    "jobid": 218,
    "md5": "xxxxxxxxxxxxxxxxxxx",
    "status": "Completed",
    "submitTime": "2018-05-08 03:56:34",
    "summaryFiles": 1,
    "taskid": 220,
    "useLogs": 0,
    "userid": 1,
    "vmDesc": "",
    "vmName": "xxxxxxxxxxxxx",
    "vmProfile": "xx"
  },
  {
    "PEInfo": 0,
    "asmListing": 0,
    "family": 0,
    "filename": "xxxxx",
    "istate": 1,
    "jobid": 219,
    "md5": "xxxxxxxxxxxxxxxxx",
    "status": "Completed",
    "submitTime": "2018-05-12 19:23:33",
    "summaryFiles": 1,
    "taskid": 221,
    "useLogs": 0,
    "userid": 1,
    "vmDesc": "",
    "vmName": "xxxxxxxx",
    "vmProfile": "xx"
  }
]
```
Human Readable Output
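The deprecated detonate-file and detonate-url commands, and the two playbooks that replace them, wrap the same loop: submit with atd-file-upload, poll atd-check-status until the status is Completed (or the timeout elapses), then fetch the report with atd-get-report and compare the verdict severity with the threshold. The following is an added example, not the integration's or the playbooks' own code. FakeAtd is a constructed stand-in for the appliance whose responses mirror the context examples on this page; the interval and sleep parameters of detonate are this example's additions.

```python
"""Submit, poll and report: the loop the deprecated detonate commands wrap.

Added example, not the integration's or the playbooks' own code. FakeAtd is a
constructed stand-in whose responses follow the atd-file-upload,
atd-check-status and atd-get-report context examples on this page; in a
playbook the same three steps are those commands.
"""
import time


class FakeAtd:
    """Constructed stand-in for the appliance; a task completes after N polls."""

    def __init__(self, polls_until_done):
        self.polls_until_done = polls_until_done
        self.polls = 0

    def upload(self, submit_type, url=None, entry_id=None):
        # Same keys as the atd-file-upload context example (values constructed).
        return {
            "success": True,
            "subId": 385,
            "results": [{"taskId": 388, "submitType": submit_type,
                         "url": url, "file": url or entry_id}],
        }

    def check_status(self, task_id):
        # Same keys as the atd-check-status context example.
        self.polls += 1
        done = self.polls >= self.polls_until_done
        return {"taskid": task_id, "jobid": 385,
                "status": "Completed" if done else "Analyzing"}

    def get_report(self, task_id):
        # Only the Verdict part of the atd-get-report JSON is needed here.
        return {"Summary": {"Verdict": {
            "Description": "Sample is somewhat suspicious: final severity level 2",
            "Severity": 2}}}


def detonate(client, submit_type, url=None, entry_id=None,
             timeout=240, interval=5, threshold=4, sleep=time.sleep):
    """Upload, poll until Completed or timeout, then judge against threshold.

    timeout and threshold mean what the deprecated detonate-file / detonate-url
    arguments document; interval and sleep are this example's additions (sleep
    is injectable so the loop can be tested without waiting).
    """
    upload = client.upload(submit_type, url=url, entry_id=entry_id)
    if not upload.get("success"):
        raise RuntimeError("ATD rejected the submission")
    task_id = upload["results"][0]["taskId"]
    job_id = upload["subId"]

    waited = 0
    while True:
        status = client.check_status(task_id)["status"]
        if status == "Completed":
            break
        if waited >= timeout:
            # Still Analyzing: hand the IDs back so a later atd-get-report can finish the job.
            return {"taskId": task_id, "jobId": job_id, "status": status, "timedOut": True}
        sleep(interval)
        waited += interval

    severity = client.get_report(task_id)["Summary"]["Verdict"]["Severity"]
    return {"taskId": task_id, "jobId": job_id, "status": status, "timedOut": False,
            "severity": severity, "malicious": severity > threshold}


if __name__ == "__main__":
    print(detonate(FakeAtd(3), submit_type=1, url="https://demisto.com",
                   sleep=lambda seconds: None))
```

The timeout branch returns the taskId and jobId rather than failing, because an ATD task keeps running after the caller stops waiting; a playbook can store those IDs and call atd-check-status and atd-get-report again later instead of resubmitting the sample.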